Multiple services forwarded to DMZ servers



  • Still struggling with the migration from ipcop to pfsense.  I am rethinking the right approach rather than just replicating ipcop's functionality.

    I have a registered domain with no-ip.com (i.e. mydomain.net)

    My no-ip account has the following hosts associated:

    mydomain.net 98.114.XXX.YYY 
    ftp.mydomain.net 98.114.XXX.YYY
    messenger.mydomain.net 98.114.XXX.YYY
    www.mydomain.net 98.114.XXX.YYY

    I am looking to implement the following:

    reroute traffic to the right DMZ server on the basis of the port number(s):

    80, 443 -> 192.168.3.3 (hostname: web.mydomain.net)
    8025,143,993 -> 192.168.3.5 (hostname: mail.mydomain.net)
    5060, 10000:20000 -> 192.168.3.6 (hostname: phone.mydomain.net)
    5022 -> 192.168.3.3 (hostname: web.mydomain.net)

    Question.

    For clients (SIP phone, Jabber messenger, thunderbird mail etc) to be able to connect to these services from both inside and outside the LAN, should I add to the list of hosts on no-ip for each service and then implement a corresponding Split DNS for the same hosts on pfSense? Or is there another approach?

    Thanks
    Renato


  • LAYER 8 Netgate

    reroute traffic to the right DMZ server on the basis of the port number(s):

    80, 443 -> 192.168.3.3 (hostname: web.mydomain.net)
    8025,143,993 -> 192.168.3.5 (hostname: mail.mydomain.net)
    5060, 10000:20000 -> 192.168.3.6 (hostname: phone.mydomain.net)
    5022 -> 192.168.3.3 (hostname: web.mydomain.net)

    Piece of cake.  But you didn't list any destination port translations. As outlined below, that can cause problems.

    For clients (SIP phone, Jabber messenger, thunderbird mail etc) to be able to connect to these services from both inside and outside the LAN, should I add to the list of hosts on no-ip for each service and then implement a corresponding Split DNS for the same hosts on pfSense? Or is there another approach?

    If they are all configured to connect to an FQDN, I'd just put DNS host overrides to the inside local IP addresses and use split dns.  Doesn't look like you need to do anything on the hostnames.  Where you run into trouble is when you translate ports, too.  Say, if you translated connections to web.mydomain.net:8080 to 192.168.3.3:80.  They would need to add the socket when connecting from the outside and not add it on the inside.

    If you want the URLs/Bookmarks to be the same inside and out, you can't do that.  Or you at least have to translate the ports between LAN and DMZ too.


  • Moderator

    If you want the URLs/Bookmarks to be the same inside and out

    An option is to open a second port or create a forward/redirect on the local server to have the same external port number.

    This would allow the same bookmark to work for both the external and internal addresses.



  • Derelict

    Thanks for the quick reply.  Let me make sure I understand.

    Let's say I create a new hostname on no-ip, say sip.mydomain.net.

    I then create a split DNS entry in pfSense (i.e. DNS Resolver) for sip.mydomain.net pointing to 192.168.3.6.

    Next I create:

    1. a new Firewall Alias IP for sip.mydomain.net (pointing to 192.168.3.6), say Elastix_Server.
    2. a new Firewall Alias Ports for ports 5060, 10000-20000,  say Elastix_Ports
    3. Lastly, I create a NAT Port Forward rule:
          i) Interface: WAN
          ii) Protocol: UDP
          iii) Source Address: *
          iv) Source Port: *
          v) Destination Address: WAN address
          vi) Destination Ports: Elastix_Ports
          vii) NAT IP: Elastix_Server
          viii) NAT Ports: Elastix_Ports

    Questions:

    1. Will this work?
    2. Will I be able to configure the SIP client to point to "Domain" sip.mydomain.net and make sure that the softphone will be able to connect both inside and outside the LAN? Note: The SIP Phones and Softphones will be connecting to 192.168.1.X.

    Thanks for the clarification
    Renato


  • LAYER 8 Netgate

    As long as your destination ports and NAT ports are the same, you shouldn't have any trouble.

    Note: The SIP Phones and Softphones will be connecting to 192.168.1.X.

    Are you saying that when they are local, they will be on the 192.168.1.X subnet?

    That's fine.  As long as when they look up sip.mydomain.net they get 192.168.3.6 and there are firewall rules passing their traffic to that address you should be set.
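A way to sanity-check this plan before building the rules, as an added example that is not part of the thread and not pfSense's own code: a small Python model of the no-ip records, the host overrides and the port forwards, which reports which DMZ socket a client actually reaches from inside versus outside. The WAN address is a placeholder for the masked one, and the 8080 -> 80 forward is a constructed entry that reproduces the translated-port problem described in the earlier reply.

```python
# Added example (not from the thread or pfSense): models the plan's port forwards
# and split-DNS overrides to check which DMZ socket a client actually reaches.
WAN_IP = "98.114.0.1"  # placeholder for the thread's masked 98.114.XXX.YYY

# no-ip: every public hostname resolves to the WAN address
PUBLIC_DNS = {h: WAN_IP for h in ("web.mydomain.net", "mail.mydomain.net", "sip.mydomain.net")}
# pfSense DNS Resolver host overrides (split DNS) answered to LAN clients
HOST_OVERRIDES = {"web.mydomain.net": "192.168.3.3",
                  "mail.mydomain.net": "192.168.3.5",
                  "sip.mydomain.net": "192.168.3.6"}
# WAN port forwards as (proto, dst_lo, dst_hi, nat_ip, nat_lo); the last entry is
# a constructed 8080 -> 80 translation, included to show the failure case
FORWARDS = [
    ("tcp", 80, 80, "192.168.3.3", 80),
    ("tcp", 443, 443, "192.168.3.3", 443),
    ("tcp", 5022, 5022, "192.168.3.3", 5022),
    ("tcp", 8025, 8025, "192.168.3.5", 8025),
    ("tcp", 143, 143, "192.168.3.5", 143),
    ("tcp", 993, 993, "192.168.3.5", 993),
    ("udp", 5060, 5060, "192.168.3.6", 5060),
    ("udp", 10000, 20000, "192.168.3.6", 10000),
    ("tcp", 8080, 8080, "192.168.3.3", 80),
]

def connect(hostname, port, proto, inside):
    """(ip, port) the client's packet finally arrives at, or None if it goes nowhere useful."""
    if inside:
        ip = HOST_OVERRIDES.get(hostname)   # LAN client: override answer, no NAT in the path
        return (ip, port) if ip else None   # None: would resolve to the WAN IP instead
    if PUBLIC_DNS.get(hostname) != WAN_IP:
        return None
    for fproto, lo, hi, nat_ip, nat_lo in FORWARDS:
        if fproto == proto and lo <= port <= hi:
            return (nat_ip, nat_lo + (port - lo))  # range forwards keep the port offset
    return None  # no matching forward: dropped at the WAN

def same_inside_and_out(hostname, port, proto):
    """True when hostname:port lands on the same DMZ socket from both sides."""
    out, inn = connect(hostname, port, proto, False), connect(hostname, port, proto, True)
    return out is not None and out == inn

def audit():
    """Forwards whose WAN port differs from the DMZ port: the bookmark differs inside vs out."""
    return [f"{lo}/{proto} -> {nat_ip}:{nat_lo}"
            for proto, lo, hi, nat_ip, nat_lo in FORWARDS if nat_lo != lo]
```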



  • OK, not sure if what I am seeing is a feature or a problem.

    I have registered a host sip.mydomain.net 98.114.XXX.YYY on no-ip.  I can ping it without any problems from my ipcop setup.

    I switched over to pfsense. I then went to DNS Resolver and checked the following:

    1. Enabled DNS Resolver
    2. Enabled DNSSEC Support
    3. Enabled Forwarding Mode
    4. Enabled Register DHCP lease in the DNS Resolver
    5. Enabled Register DHCP static mapping in the DNS Resolver

    I then created a new entry under Host Overrides:
    Host: sip
    Domain: mydomain.net
    IP: 192.168.3.6

    I then went to Diagnostics -> DNS lookup and entered sip.mydomain.net in the field.  The DNS lookup returned 98.114.XXX.YYY!

    I repeated the command some 6-7 times. Only once did it return 192.168.3.6; the other times it returned the outside IP.

    What is causing this?

    Thanks again for the help
    Renato

